tv [untitled] March 27, 2012 10:00am-10:30am EDT
engagement. the department's conducting a review of the joint staff of existing standing rules of engagement on cyberspace. these revised standing rules of engagement should give us authorities we need to maximize preauthorization of defense responses and empower activity at the lowest level. issues being ironed out are what specific he set of authorities we will receive conditions in which we conduct response actions and we expect those will be done in the next few months. d.o.d.'s role in defense against cyberattacks, the defending the nation in cyberspace requires coordination with several key government players, notably, dhs, the fbi, the intelligence community. i'd like to put some of those on the table because it is my opinion that we need all three working together as a joint team. dhs has to lead for coordinating overall national effort to enhance cybersecurity of the u.s. critical infrastructure.
they lead in resilience and preparing the defense. fbi has lead for detection investigation prevention and mitigation response within domestic arena under their authorities for law enforcement, domestic intelligence, counterintelligence, and counterterrorism. and of course d.o.d. and nsa and cybercommand lead for detection, prevention and defense in foreign space. defense of the nation comes under if the nation comes under attack. i'd line to go into a few, if i could, a little bit on what i see we need in cyberspace. the requirements to defend the nation from attack, because there's been a lot of discussion on this and i think it's important to put this up front. i think this is the heart of some of the discussion that's going on with the legislation today. first, we need to see the attack. what do i mean by that? that was a quote that we made up at the fordham university. if we can't see the attack, we
can't stop it. what we're not talking about is putting nsa or the military into our networks to see the attack. what we're talking about that all of you have put on the table is, we have to have the ability to work with industry, our partners, so that when they are attacked or they see an attack, they can share that with us immediately. the information sharing and the liability that goes along would allow industry, armed with signatures that we can provide, signatures that they have i agree it takes all of us working together to provide a better defense. what we need is for them to tell us that something is going on. there's a couple of analogies that i'd like to use. these are not perfect analogies, just best that i can come up with. being in the armed services committee here i use the missile analogy. if a missile were coming into the country and we had no radars to see it, we couldn't stop that missile. if we have a cyberattack coming
in and no one tells us that that's that cyberattack is going on, we can't stop it. today, we're in the forensics mode. what that means is, an attack or an exploit normally occurs, we're told about it after the fact. i think we should be in the prevention mode in stopping that. a lot of that can be done by industry. i think that industry should have the ability to see these and share that with government in real-time. when you think about it it's almost like the neighborhood watch program. somebody's breaking into a bank, somebody needs to call the authorities to stop it. in cyberspace, what we're saying is armed with the signatures, the software, those things that help us understand an attack is going on we believe that industry is the right ones to tell the government that they see that, and get us respond to it. so i just want to clarify, because i do not believe we want
nsa or cybercommand or the military inside our networks watching it. we think industry can do that. we think that's the right first step. and we think actually that's in both of these bills. the second part, i used that bank one because i think there's another part to this, that we have enforced within d.o.d., and that's what standards do we bill our networks to? how much of a defense do we put in there? how do we make our defense better? we have put in a series of defensive capabilities, if you will, standards that we operate and defend our networks. how do you align your networks, how do you know they're configured right? how do you make them defensible so they will last when somebody's trying to get? i -- we have a great information assurance directorate and one of the former directors told me that 80% of the exploits in attacks that come in could be
stopped just by the hygiene itself. chairman, you also brought up the issue of the carnegie melon report and i would like to hit some of that because i do think that's an important report, and it has -- it really applies to this discussion that we have going on now. as i have stated previously, that report and that assessment was early on in the d.i.b. pilot. that done mean that we can't do better. in fact, let me turn that around and say, for us to be successful in cyberspace, it's going to require government and industry working together with best of both. industry partners see signatures that government doesn't see and government sees signatures or militia software, exploitations and attack into the country that industry doesn't see. information sharing and the ability to do that is key to stopping that. what i see from the d.i.b. pilot was increased discussion between
government and industry, and this was a good thing. and it has grown. it continues to grow and we're getting better. so in legislation, what i think is we need to make the first step. we need to start. we won't get it perfect but we need that ability for industry to share with us the fact that these attacks and expoits are s exploits are going on. we cannot stop them, we cannot help. five areas that ifo cussed on with the folks at u.s. cybercommand. first, we have to build and train cyberforces and these are things that bob kehler and i are arm and arm on. second a defense ibl architecture. you mentioned 15,000 enclaves and our antiquated architecture, if we went to the way google, yahoo! and others are doing in the defense department we'd have a more defensible architecture and that's the way we are pushing, and the services are helping us get there. i think we have to partner with
dhs and fbi. the reason that i bring dhs into this is that, i believe we want them working with rest of government to help set up the rest of government networks and work with that. we do not want to take the people that i have and push them over here. i think we want people that we have looking outside and that goes to senator mccain's comments, we're the offensive force. we're the ones that are going to protect the nation, we need to see what's going on and be prepared to do that. we can give and work with dhs and provide capabilities and technical expertise, and that's growing. finally, i'd add in fbi. they have some tremendous capabilities, they have the law enforcement arm, and when you put all three of us together, i think our country knows that what we're doing is transparent and we're doing the right thing. in doing that, you've brought all three players to the table. i see command and control in partnership is key, especially with our allies, and i'd put the
allies on the table because this is going to be huge for our future and the concept of operating in cyberspace we mentions earlier. so, it is an honor and privilege to represent the soldiers, sailors, air american, marines and civ andi civilians of u.s. cybercommand today. a thank you. i'd ask my statement for the record be included on the record. and that's all i have, chairman. >> thank you so much, general. the statement will be made part of the record. we'll start with a seven-minute first round. general kehler, first, do you support the fiscal year 2013 budget request? >> yes, sir, i do. >> general kehler, you made reference to effective nuclear command and control network that needs improvement, i believe, in your opening statement.
are those efforts under way to modernize that command and control network? can you describe those efforts a little bit? >> yes, sir, i can. of course as you know the nuclear command and control system is composed of many, many parts. there are parts of the nuclear command and control system that are not survivable. there is, however, as part inher rent in the nuclear command and control systems a thin line that ultimately would be survivable under any conditions, so that we could always ensure that the president of the united states is connected to the nuclear forces. investments are under way in those critical capabilitcapabile capabilities that are part of the space architecture layer. of course dhs satellites, the first one is on orbit, the second will go to orbit in the next year, i don't have the
exact date. that will be the satellite-based survivable part of our thin line network, as we go forward. we have some issues with terminals and terminals lagging deployment of the satellites. that means we have to use older terminals we won't get the full capability of the satellites at first. we're working that program. we have some issues to make sure that our bomber connectivity is maintained. the air force program supports that. and so i am comfortable that we're going forward there to maintain the connectivity at the force end of this. we're also upgrading some of our other components to the network, ground-based parts of the network, et cetera. i believe i will always be a little uncomfortable about the network. i will tell you that i think there's more to be done. we are working that inside the department for future budget requests and in fact, we're under taking a fairly substantial review at this point
in time about the nuclear command and control system and how it does or doesn't support other issues as well. >> thank you, general. the 2010 nuclear posture you call out for studying additional reductions in nuclear weapons, do you think it is possible to further reduce our nuclear weapons s beyond the new start levels? >> mr. chairman i think there are opportunities to reduce further, but i think there are factors that bear on that ultimate outcome. and rather than get into those, and i don't think would be appropriate, i would simply say i do think there are tu opportunities here but recognizing there are factors that bear on this. i would also mention it is never our view that we start with numbers. we start with an assessment of the situation we find ourselves in, the strategy, our objectives, et cetera, and ultimately then you get to numbers. >> thank you.
general alexander, are you advocating for any additional legal authorities that are not included in the cybersecurity legislation that was proposed by the administration to congress or that's included in the lieberman-collins bill? >> no, chairman. >> industrial espionage campaign, i noted in my opening statement, and you made reference to it in your statement, particularly china's relentless industrial espionage campaign through cyberspace, i wonder, can you give us examples in open session of the technologies that have been stolen through penetration of major d.o.d. contractors and perhaps the department itself? and do you know whether or not, in fact, we have raised this
issue, particularly vice president biden, with the chinese? >> senator, i'm not aware on the last what vice president biden has shares with the chinese that discussion. but we are seeing a great deal of d.o.d.-related equipment stolen by the chinese. i can't go into the specifics here but we do see that from defense, industrial-based companies throughout. there are some very public ones, though, that give you a good idea of what's going on. the most recent one, i think, was the rsa exploits. rsa creates the two factor a authentication for things like paypal so when you order something and pay for it over the network the authentication is done by encryption systems that rsa creates. the exploiters took many of those certifications and
underlying software, which makes it almost impossible to ensure that what you're certifying or what someone else is certifying is in fact correct. now rsa acted quickly, and is replacing all of the certificates and has done that in priority order for the defense department and others. but when you think about it, the ability to do it against a company like rsa is such a high order capability, rsa being one of best, that if they can do it against rsa, that makes most of the other companies vulnerable. >> well, we took some action on the counterfeiting area in our defense authorization bill to try to stop that type of theft, particularly, again, by the chinese when it came to the supply of parts for our weapons systems. we -- i think it would be important for you to talk to vice president biden or his office so that you can see what
steps were taken to inform the chinese of our position on this. and we've now got to find ways -- and i think you're the perfect person to be a spokesman for this -- to stop their theft of other kinds of intellectual property through the use of cyber. and i wonder if you could give us some examples of -- give us some options. i think senator mccain also made reference to this. what are the options for us in terms of action for them or anyone else who is stealing our information, our enlech actual property to pay a price for this? >> well, i suppose using the rest of stratcom would be out, chairman. i think the first -- the first thing that strikes my mind, and i want to be clear on this
because the most important thing that we can do right now is make it more difficult for the chinese to do what they're doing. analogy i put on the table is, we have all of our money in our banks but the banks have the money out on tables in new york city at the park. and we're losing the money and we're wondering why, nobody's protecting or it's not well-protected. our intellectual property's not well-protected and we could do better protecting it. step unis take those steps to do that. i do think what the department is doing, you asked for authorities that would need legislation, i think those are in the legislation, and what the department is doing with the authorities we already have is maturing the standing rules of engagement that would allow us st stop some of the exploits going on. i think those are some of the things we can do, stop them in progress. as an example, we saw an
adversary trying to take about three giga the gu gigabytes from our contractors. the issue is now we had to work in human space to reach out to them to say they're trying to steal something you, you've got to stop it. there's got to be a better way to do that because that's like going at network speed, trying to send a regular mail letter to them that you're being attacked. so we've got to bring this up into the network age to get these responses out. so i would advocate, and i think the way we're going is, to, one, bill our defense and two have options that would stop it. beyond that, i think the president and secretary need options that would take it to the next step. these are not options that we would take but these are options that we would propose the administration. if they exceed certain limits, i think it is our responsibility jointly and with the co-coms to
say these are actions to take on stopping the act and here's what we propose to be done. i think our job would be to defend and protect astop some attack analogous to the missiles coming in and give the administration options to take it to the next step if they chose. those include cyber and other options available. i think the white house has put that forward in their cybersecurity thoughts. >> thank you. senator mccain? >> i want to thank the witnesses. i would ask general alexander, do you agree that secretary panetta and the fbi have said that cyberattacks may soon be the number one threats to the united states? >> absolutely, senator. >> and would you agree that a major threat to our national security come from outside the
united states? specifically, obviously, from unclassified information from china? >> absolutely. >> absolutely. so then what's the logic in providing the overall authority to the department of homeland security? anyone who has been through an airport, as i do regularly, as most of us do, have no confidence in the technological capabilities of the department of homeland security. in fact, as an example, nothing has changed as far as airport security is concerned since probably september 12th, 2011. so the major threat comes from overseas. what would be the logic, then in making the lead organization the department of homeland security? >> senator, i think the issue, if i could, i want to break this out into three areas to make sure my responses -- >> make it brief. i have additional questions. >> yes, sir.
i see three major things. we want dhs to take the lead on resilience and working with civilian agencies in critical infrastructure. we want d.o.d. to take the lead on defending the nation under cyberattack, fbi under law enforcement, and intelligence. and i think all three of us are need to work together as a joint team to move this forward. if we don't work as a team, then the nation suffers. so inside the united states, that's where i think dhs has the lead. they don't in terms of the foreign and the things coming in, that's where you'd want us to have the lead. >> how many people are under your command? >> in cybercommand, counting our service components, a little under 13,000. >> so we now have 13,000 in cybercommand recently formed up, so now we need other agencies. why shouldn't the responsibility lay with -- lie with cybercommand? >> senator, i do think the responsibility for defending the
nation against attack lies within cybercommand out. i think the lead for working with critical infrastructure and helping them defend and prepare their networks should lie with dhs. >> that's a curious logic, general. in fact, most curious. so really, all we formed up cybercommand for was to worry about external threats? is that what you're saying? >> i -- >> so if department of homeland security should take the lead of anything that happens in the united states from outside, but you are still there with your 13,000 people? >> not quite that way. probably i'm not clear enough on this. in terms of dhs' role and responsibility it's working with critical infrastructure and other government agencies on developing the standards in the protocols of how they build their networks and to be the
public interface. i think that's the role that we want them to do, and their people reach out with critical infrastructure and make sure those government systems are adequately developed. if they're attacked, no matter where that comes from, now i think the president has options of what he can do. we are one of those sets of options and if chosen, we are prepared to do that. more importantly, where those people really come in is in our offensive capabilities. you asked that earlier. so the offensive capabilities would be to support the other combatant commands in their plans and capabilities. the bulk of our people -- >> so your job is to support other commands with their offensive capability? general, one of the conclusions of the 9/11 commission was there's too much stove piping in our intelligence community. you're describing stove piping to me at its ultimate. >> well, that's not the intent. if i could go one point further,
the bulk of our forces are folks that operate and defend the d.o.d. networks. that's where we are today. the bulk of them are operating and defepnding our networks. think about what the army, navy and air force do in operating and defending the networks, that's the first mission that u.s. cybercommand was given. we are developing the second parts of that. but i would point out when you say stove pipe, senator i do not agree with that because this is an integrated network. it is one network trying to work everything together. so it is just the option of a stove pipe. >> it's interesting that michael mcconnell, at george washington university, former director of national intelligence said current u.s. cyberdefenses are work and the bills on capitol hill are insufficient. the former director of national intelligence has a significant disagreement with your assessment. so, according to a reason
article in "the washington post," the white house blocked draft legislation that would have given nsa or any government entity the authority to monitor private sector networks for computer viruss are operate active defenses to block them. the nsa supported the authority but the white house did not according to administration official blocking of the draft caused some consternation because nsa want to get that authority. there are some who propose that nsa should be able to detect but not read the cyberattack information. do you agree or disagree with that? >> i disagree. i think the approach that we have put on the table is the appropriate one, which is we give that to industry, they can look at that and when they see that, tell us. i think that's the first right step, senator. i think if we go too far it sends the wrong message.
i think we can take this journey and learn as we go on it. >> so you believe that d.o.d., general cartwright said that -- stated the former vice president of the joint chiefs of staff said d.o.d. is spending 90% of its time playing defense against cyberattacks and 10% playing offen offense, and that department should invert the defense/offense ratio to signify that a cyberattack on the united states will have negative consequences. and your answer, as i understand it is, well, we'll act in some -- in some way or fashion. perhaps you can be a little more specific how we can regain, how can we can gain the offense here. >> i agree with his statements and i'd like to characterize it if my word if i could, senator, in that more than 90% of our force was developed -- all of our force in cyber as we started was on the defense and operate.
we didn't have an offensive capability. what we're looking at how do we grow that cape ibilty. if you think about what we have within our fleets, air wings and brigades is the operate and defend cape ibilties. the offensive capabilities primary lies in exploitation capabilities of nsa and others. we're developing those. i agree we need to develop those more and faster, and we're working on that with the services and that's part of our growth plan. i think in terms of this, senator, i don't want to give you the impression that i don't believe we should defend the united states. i do. but i do think we can do that in a way that works with industry without having us in the middle of the network read. they share the information with us and i think that's the right, first step to take. >> according to industry does not need additional regulations. they need ability to share information, which is our proposal, rather than additional new government regulation implemented by probably the most
inefficient bureaucracy that i have ever encountered in my number of years here as a member of congress, the department of homeland security. wasted $887 million on a virtual fence on the arizona/mexico border, has made not a single technological advance as far as airport security is concerned to ease passengers' transit from one place to another, and has shown an incredible ability to illustrate inefficiency at its best. i thank you, mr. chairman. >> thank you, senator mccain. senator lieberman? >> thanks, mr. chairman. thanks to both of you. my friend from arizona. i have a disagreement. i want to come to the defense of the department of homeland security. the fact is that we haven't had a major terrorist attack on the u.s. since 9/11 and you have to give the leadership, bipartisan, over two administrations, and the thousands of people who work
at dhs, some credit for that. secondly, in terms of the stove piping, i think a better analogy here, and it's not a perfect one, it's to compare the relationship between the cia and the fbi to the relationship between cyber command, nsa and dhs. cia has authority outside of the united states of america. the fbi has authority -- this is -- speaking about terrorism, for instance or threats to the nation -- fbi has authority within the country. the problem before 9/11 is there they weren't stove piped, they weren't cooperating enough. in the same way nsa cybercommand, as you said, has the responsibility to protect america. it's a jewel. it's a national treasurer from attack along with many other, cyberattack, along with many other responses that you have. dhs has a domestic responsibility, a preventive
responsibility. and in that sense it's different unless expansive and fbi and the other case. the interesting thing that you've testified to, and i think senator mccain was inhering, is that you are building exactly the kind of cooperative relationship between nsa cybercommand, dhs, and the fbi that didn't exist before 9/11 and the fact is, senator mccain and i introduced an amendment to the national defense authorization act last december that codifies in law the working agreement between nsa and dhs. so i know -- incidentally, i would say this for the record -- i've talked to admiral mcconnell, a former dni, i've heard him speak in a public set, he thinks both bills are not strong enough. but if you ask him, do you prefer the secyber security actf